Configuring folder permission for users

The folder permission control feature provides the ability to configure different folder permissions for each user. This limits user-only access to and operations on authorized folders or "Shared directories". It also supports “path” mode when submitting jobs This feature avoids copying input files between different locations and uses the selected file or folder as an input file directly.

Configure the shared directory

An Administrator must configure the ShareDirectory node in $PMC_TOP/gui/conf/Repository.xml:

<?xml version="1.0" encoding="UTF-8"?>
        <!-- AccessLimit: Flag for enabling folder permission control. Default is true. -->
            <!-- User: Required. Sets the repository owner. Can be "all" or legal Linux user. -->    
            <!-- Path: Required. Sets the repository path to access. Can use system variable such as $HOME. -->
        ShareDirectory: Optional. Sets one or more shared directories to access.
            Name: Optional. Sets the alias name for display.
            Host: Optional. Sets the host name for accessing a remote host.
            Path: Required. Sets the share path to access. Can use system variable such as $HOME.
            ActionWrapper: Optional. Sets the script file used to access the folder.
Note: Repository.xml does not support Windows host names and paths.
Tip: In IBM Spectrum LSF Application Center and later, when <AccessLimit>true</AccessLimit> is defined, an Administrator can configure shared directory permissions for Normal users with the User Roles & Permissions page in the Systems & Settings tab: System & Settings > Settings > User Roles & Permissions > View: Role Definition > Normal User > Shared Directory

Below is an example for an ActionWrapper script file. It uses expect to connect to a remote host via ssh automatically.

set cmd [lindex $argv 0]
set myhost "host2"
set myuser "user"
set mypass "pass"
# variable to use system variable in script
#set user "$env(USER)"
#set host "$env(HOSTNAME)"
spawn ssh $myuser@$myhost $cmd
expect {
  "(yes/no)?" {
    send "yes\n"
    expect "*assword:"
    send "$mypass\n"
  "*assword:" {
    send "$mypass\n"
expect eof
Note: If the ActionWrapper is configured to access a remote host via a script file, “Edit”, “Upload” and “Download” operations will fail on the Workload > Data page because it cannot get the correct host information. Also, the “Move to”, “Copy to” and “Copy from” operations are not supported between hosts.

Configuring folder permissions for users and roles

  1. As an Administrator, go to System & Settings > User Roles & Permissions.
  2. Expand the Permissions column.
  3. The Permissions column will show the folder path that was configured in Repository.xml.

    By default, the Application Center Administrator and Cluster Administrator roles have all permissions (View, Control, and Configure) for all the “Shared Directory” resources. Other roles have only View permission for “Shared Directory” resources.

  4. Edit the permissions for a “Shared Directory” resource for each role and individual users.
    Note: IBM Spectrum LSF Application Center only checks permissions configured in the User Roles & Permissions page. It does not check the permissions at the OS level. Ensure the user has correct read/write permissions on the shared directory.

Using Shared Directories

After the ShareDirectory and Permissions are configured, IBM Spectrum LSF Application Center will limit access to only the folders that are configured in Repository.xml and limit authorized actions based on a user's permissions.

IBM Spectrum LSF Application Center pages that access a server’s files include:
  • Workload > Data page
  • File browser pop-up windows in the Submission form page
  • File browser pop-up windows in the Application template edit page

In the Data page and file browser pop-up windows, all the folders configured in Repository.xml are listed under Shared Directories if the user has view or greater permission. If there are multiple folders on the same host, those folders are grouped under a host node.

To support “path” mode, open the file $PMC_TOP/gui/conf/pmc.conf and change the value of the ADD_SERVER_FILE_TYPE parameter to path. In a Submission form, when selecting a server file, IBM Spectrum LSF Application Center uses this file directly instead of a copy or link to it.